Installing Squid Proxy Server on Devuan

As I was suggesting folks ought to put the Squid Proxy Server on their PiHole server, I figured I might as well do it too. That way I would know it works and I would also be one step closer to not needing my Pi B+ doing that job.

At first I did the usual

apt-get install squid

as root (sudo). It didn’t find “squid”.

Figuring my system had not been updated in months, I then did the pro forma:

apt-get update
apt-get upgrade

And a whole lot of stuff got updated ;-)

But squid still was not found.

root@headless1:/home/chiefio# apt-get install squid
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package squid is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'squid' has no installation candidate

Looking around, this page:

https://www.debiantutorials.com/installing-and-configuring-squid-proxy-server/

was unhelpful in that it still says to just do apt-get install squid. But down in comments there was:

Posted on September 13, 2013
luca

I just installed squid. From repository now the version is squid3, so to start/restart the daemon the correct instruction is:
sudo service squid3 start (or restart)

Which got me thinking… What if the pseudo-package squid didn’t exist, but squid3 does? Well, that worked:

root@headless1:/home/chiefio# apt-get install squid3
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  libjsoncpp0
Use 'apt-get autoremove' to remove it.
The following extra packages will be installed:
  libecap2 libnetfilter-conntrack3 squid-langpack squid3-common
Suggested packages:
  squidclient squid-cgi squid-purge smbclient ufw winbindd
The following NEW packages will be installed:
  libecap2 libnetfilter-conntrack3 squid-langpack squid3 squid3-common
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 2401 kB of archives.
After this operation, 7095 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

And off it went installing squid3.

Then I went to configure /etc/squid/squid.conf and found it wasn’t there either. Being a quick study I did an “ls” in /etc/ and found /etc/squid3 in which you find the config file.

root@headless1:/home/chiefio# ls /etc/squid3
errorpage.css  msntauth.conf  squid.conf
root@headless1:/home/chiefio# vi /etc/squid3/squid.conf 

Then you look for this part of the text and remove the “#” from in front of the “http_access allow localnet” line:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

and remove the “#” from in front of the lines defining what localnet might be. I’ve uncommented all three of the non-routing IPv4 lines and I hope it will make all three active in one go. If not, I can give each one a unique name and have three access allow lines.

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

As I sporadically use any and all of the non-routing space internally, I’d like them all to have access to the proxy server.
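
How Squid reads the lines above, as an added example (not from the original post and not Squid's own code): repeated `acl localnet src` lines with one name build a single list, and `http_access` lines are checked top to bottom with the first match deciding. The function names `parse` and `allowed` and the sample config are constructed for illustration, the built-in `localhost` definition is an assumption, and only `src` ACLs are modelled.

```python
import ipaddress

# Constructed sample: the lines uncommented above plus a final "deny all".
SAMPLE_CONF = """\
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
http_access allow localnet
http_access allow localhost
http_access deny all
"""

def parse(conf):
    """Return (acls, rules) from squid.conf text; only 'src' ACLs are modelled."""
    net = ipaddress.ip_network
    # Built-in names. Assumption: localhost means the two loopback addresses.
    acls = {"all": [net("0.0.0.0/0"), net("::/0")],
            "localhost": [net("127.0.0.1/32"), net("::1/128")]}
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()   # drop comments, tokenise
        if len(words) >= 4 and words[0] == "acl" and words[2] == "src":
            # Repeated 'acl NAME src ...' lines extend the same list (OR).
            acls.setdefault(words[1], []).extend(net(w) for w in words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def allowed(conf, client_ip):
    """Decide whether client_ip may use the proxy under this config."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)

    def match(name):
        negate, name = name.startswith("!"), name.lstrip("!")
        if name not in acls:
            raise ValueError("ACL not modelled here: " + name)
        return any(ip in n for n in acls[name]) != negate

    for action, names in rules:
        # ACL names on one http_access line are ANDed; first matching line wins.
        if all(match(n) for n in names):
            return action == "allow"
    # Nothing matched: Squid applies the opposite of the last line's action,
    # and denies when there are no http_access lines at all.
    return bool(rules) and rules[-1][0] != "allow"
```

Calling `allowed(SAMPLE_CONF, "172.20.0.5")` returns True through the shared `localnet` list, while any address outside the three private ranges and loopback falls through to `deny all`.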

The config file has more options than a real person could ever need or want. Likely due to use in places like mega-corps with 150,000 employees on 5 continents… It does have one other option you might care about. By default it uses just one core. On the Pi B+ it only has one core so I left it alone. Since it did just dandy at 700 MHz I know one core of the Pi M2 at 900 MHz will also be fine, especially since the DNS activity will be on a different core (on the B+ both happened on the same core and it was fine).

So you could configure this to use multiple cores if you wanted to. Though it is unlikely you would ever need that in a home.

I also chose to bump up the local cache object size and lifetime. I have a lot of unused space on this card at 11 GB, so storing a few GB of cached “stuff” would save me a lot of network bandwidth / latency at essentially zero cost. Eventually it might wear out the uSD card, but that’s $10 down the road a long ways…

Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/root       15153856 3089464  11276752  22% /

#  TAG: maximum_object_size     (bytes)
#       Set the default value for max-size parameter on any cache_dir.
#       The value is specified in bytes, and the default is 4 MB.
#
#       If you wish to get a high BYTES hit ratio, you should probably
#       increase this (one 32 MB object hit counts for 3200 10KB
#       hits).
#
#       If you wish to increase hit ratio more than you want to
#       save bandwidth you should leave this low.
#
#       NOTE: if using the LFUDA replacement policy you should increase
#       this value to maximize the byte hit rate improvement of LFUDA!
#       See cache_replacement_policy for a discussion of this policy.
#Default:
# maximum_object_size 4 MB

I set that to:

maximum_object_size 64 MB

Just because waiting for large PDF docs or big binaries again and again does not make my day. And like I said, I’ve got lots of space. There are dozens of tuning opportunities for the cache. By default it only uses memory cache. And only 100 MB. I’ve set mine to 2 GB.

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid3 100 16 256

becomes

cache_dir ufs /var/spool/squid3 2000 320 256

There are things to consider in those numbers and here’s some of the (limited) guidance. Since the actual optimum will depend on the number and size of files you fetch (pages) over time, you can look at your cache_dir and make changes.

#       You can specify multiple cache_dir lines to spread the
#       cache among different disk partitions.
#
#       Type specifies the kind of storage system to use. Only "ufs"
#       is built by default. To enable any of the other storage systems
#       see the --enable-storeio configure option.
#
#       'Directory' is a top-level directory where cache swap
#       files will be stored.  If you want to use an entire disk
#       for caching, this can be the mount-point directory.
#       The directory must exist and be writable by the Squid
#       process.  Squid will NOT create this directory for you.
#
#       In SMP configurations, cache_dir must not precede the workers option
#       and should use configuration macros or conditionals to give each
#       worker interested in disk caching a dedicated cache directory.
#
#
#       ====  The ufs store type  ====
#
#       "ufs" is the old well-known Squid storage format that has always
#       been there.
#
#       Usage:
#               cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
#       'Mbytes' is the amount of disk space (MB) to use under this
#       directory.  The default is 100 MB.  Change this to suit your
#       configuration.  Do NOT put the size of your disk drive here.
#       Instead, if you want Squid to use the entire disk drive,
#       subtract 20% and use that value.
#
#       'L1' is the number of first-level subdirectories which
#       will be created under the 'Directory'.  The default is 16.
#
#       'L2' is the number of second-level subdirectories which
#       will be created under each first-level directory.  The default
#       is 256.
#

As I jumped up the size by 20 x I just jumped up the directories by the same amounts.

While it claims you must make the directory, it looks like the Devuan / Debian install process created it for me.

And with that, you start it running!

root@headless1:/home/chiefio# service squid3 start
[warn] Starting Squid HTTP Proxy 3.x: squid3[....] Creating Squid HTTP Proxy 3.x cache structure ... (warning).
2018/12/22 20:54:30| Squid is already running!  Process ID 8363
 failed!
root@headless1:/home/chiefio# service squid3 stop
[ ok ] Stopping Squid HTTP Proxy 3.x: squid3[....]  Waiting.....................done.
. ok 
root@headless1:/home/chiefio# service squid3 start
[warn] Starting Squid HTTP Proxy 3.x: squid3[....] Creating Squid HTTP Proxy 3.x cache structure ... (warning).
2018/12/22 20:55:28 kid1| Set Current Directory to /var/spool/squid3
2018/12/22 20:55:28 kid1| Creating missing swap directories
2018/12/22 20:55:28 kid1| /var/spool/squid3 exists
2018/12/22 20:55:28 kid1| Making directories in /var/spool/squid3/00
. ok 
root@headless1:/home/chiefio# 2018/12/22 20:55:31 kid1| Making directories in /var/spool/squid3/01
2018/12/22 20:55:32 kid1| Making directories in /var/spool/squid3/02
2018/12/22 20:55:33 kid1| Making directories in /var/spool/squid3/03
2018/12/22 20:55:36 kid1| Making directories in /var/spool/squid3/04
2018/12/22 20:55:37 kid1| Making directories in /var/spool/squid3/05
2018/12/22 20:55:38 kid1| Making directories in /var/spool/squid3/06

Well that was interesting… it was already running from the install. So I stopped and restarted it so it could proceed to make all those directories and get back to work, but now with a large “disk” cache. The config file has options for multiple disks and multiple file systems and more…

So far it looks like the server is quite happy with both squid and PiHole running.

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...

2 Responses to Installing Squid Proxy Server on Devuan

  1. E.M.Smith says:

    FWIW, I also got around to putting an exception list in my browser for local networks in the “no proxy for” box:

    localhost, 127.0.0.1, 192.168.1.0/24, 10.0.0.0/8
    

    Since I rarely use the 172.16.0.0/12 block just because it is an odd size and 10 dot is sooo large, I just left it out. So no more need to play with proxy settings inside the home / lab. Once Pocket PiHole is up and running then it, too, will be a constant config on the laptop / tablet ;-)

    Also note that in this case the dns built into Squid looks at the PiHole as it has 127.0.0.1 in resolv.conf file, but if you need to assure it gets PiHoled you must set that IP number in the Squid.conf file:

    #  TAG: dns_nameservers
    #       Use this if you want to specify a list of DNS name servers
    #       (IP addresses) to use instead of those given in your
    #       /etc/resolv.conf file.
    #
    #       On Windows platforms, if no value is specified here or in
    #       the /etc/resolv.conf file, the list of DNS name servers are
    #       taken from the Windows registry, both static and dynamic DHCP
    #       configurations are supported.
    #
    #       Example: dns_nameservers 10.0.0.1 192.172.0.4
    
  2. E.M.Smith says:

    Oh, and just so folks are too wound up by my praise for Proxy Servers:

    Note that they can not cache httpS encrypted links. Over time as https has become more the norm this has reduced the value of the cache (so turn it up larger inside your browser… I have mine set at 1 GB). It can still act as a proxy channel (so reverse attacks only see it and must break it to get to your desktop) so it still has value. Also any non-encrypted things will still be cached.

    Over time the cache collects what it can. After running a while you can check the cache usage and see if it is important to you or not. I’ve run one since before HTTPS existed so have my habits ;-)
